ardamax | 7ad4caa63ae70d62032c166e184120732456c15232fce48309a16ba8ebac9d74

General

Target

3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Size

1.1MB
MD5

3dbd389b7c8810194e648107932b247b
SHA1

6067d142d94eecf84b70507179ef51bd4b2e53cb
SHA256

7ad4caa63ae70d62032c166e184120732456c15232fce48309a16ba8ebac9d74
SHA512

653dad8a484f9371bf6ea0a6aeb253962b1d04e398a5a51c5e2d855524d3e2810f79d586c86cfc39f6f08a2fc1111e8ca70ed5668274af4755dd77bed7096a78
SSDEEP

24576:3PS4zXuJH6m0hl9lUtWr4DQnHJEBLl+TSExYslKfFw7:K4zoanetWrzHJuLlKSe7

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234eb-47.dat	family_ardamax

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	Exporer32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	keylogger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	DSNY.exe

Executes dropped EXE 3 IoCs

pid	Process
4932	Exporer32.exe
3012	keylogger.exe
3788	DSNY.exe

Loads dropped DLL 5 IoCs

pid	Process
3012	keylogger.exe
3788	DSNY.exe
3788	DSNY.exe
3788	DSNY.exe
3276	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSNY Agent = "C:\\Windows\\SysWOW64\\28463\\DSNY.exe"	DSNY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\DSNY.007	keylogger.exe
File created	C:\Windows\SysWOW64\28463\DSNY.exe	keylogger.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	keylogger.exe
File opened for modification	C:\Windows\SysWOW64\28463	DSNY.exe
File created	C:\Windows\SysWOW64\28463\DSNY.001	keylogger.exe
File created	C:\Windows\SysWOW64\28463\DSNY.006	keylogger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3276	3788	WerFault.exe	88

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "CPPTPDiagHelper Object"	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ = "C:\\Windows\\SysWOW64\\RasDiag.dll"	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ThreadingModel = "free"	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	3812	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3812	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
Token: 33	3788	DSNY.exe
Token: SeIncBasePriorityPrivilege	3788	DSNY.exe
Token: SeIncBasePriorityPrivilege	3788	DSNY.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3812	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
3788	DSNY.exe
3788	DSNY.exe
3788	DSNY.exe
3788	DSNY.exe
3788	DSNY.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4932	3812	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe	86
PID 3812 wrote to memory of 4932	3812	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe	86
PID 3812 wrote to memory of 4932	3812	3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe	86
PID 4932 wrote to memory of 3012	4932	Exporer32.exe	87
PID 4932 wrote to memory of 3012	4932	Exporer32.exe	87
PID 4932 wrote to memory of 3012	4932	Exporer32.exe	87
PID 3012 wrote to memory of 3788	3012	keylogger.exe	88
PID 3012 wrote to memory of 3788	3012	keylogger.exe	88
PID 3012 wrote to memory of 3788	3012	keylogger.exe	88
PID 3788 wrote to memory of 544	3788	DSNY.exe	96
PID 3788 wrote to memory of 544	3788	DSNY.exe	96
PID 3788 wrote to memory of 544	3788	DSNY.exe	96

C:\Users\Admin\AppData\Local\Temp\3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3dbd389b7c8810194e648107932b247b_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
  "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\keylogger.exe
    "C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\28463\DSNY.exe
      "C:\Windows\system32\28463\DSNY.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1068
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3276
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\DSNY.exe > nul
        5⤵
        
        PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3788 -ip 3788
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@DF92.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
508KB

MD5
b1257eca1d2c78da09dfb1c7eadf51bf

SHA1
4e5a10ac708c5be4430ebb5e6995b98cf7a1be53

SHA256
566c0471937ea58c7d379ce6952f3e4483d6e0ecec82bb77f4f8d078189e8288

SHA512
8b42cf8eb73807ab1a03632d8e987124ce41d40b81b034e0e97035c0becc3eb7b1620b2fe545f2a9e409606d1358d0ed112b367b8e91dbd4ff2d897aa851632a

Download Submit
C:\Users\Admin\AppData\Local\Temp\keylogger.exe

Filesize
480KB

MD5
35dae0a4f90d05aea5a6f5f2c5e1f03d

SHA1
b05db43f4fe0ce4b4dea22fa0bbb3cf81d5610f1

SHA256
f245a4dd240c8f4aa049253e2aca5539cd8c7346f621c77578dd8acb2380661c

SHA512
4c50cd6dd103d656370b2e851a97d4865057d4f5eb524297329c898e3e68c91c574457973596595aaeba75abc3ce49483f237e0b636170993e610d04c8ad1c2a

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\DSNY.001

Filesize
384B

MD5
e6c292248833457c384b4d3f03a17805

SHA1
bc490563b4047cceadfedaeab4f46274ffd997b4

SHA256
c18ce781067a7ab5146baf2f25a670ea16de4e9c3daf04bac237c7566aab9ddd

SHA512
c9f6cfe51d9ecb6c153ad7fb2ed1de3b945a2ce27d2a7620704ceb7b257c2b7c35fa67251c7750084f8836e656457373ea7ce5074d3d64fc162bb592f97e2738

Download Submit
C:\Windows\SysWOW64\28463\DSNY.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Windows\SysWOW64\28463\DSNY.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Windows\SysWOW64\28463\DSNY.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
memory/3812-7-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3812-23-0x0000000000550000-0x00000000005D9000-memory.dmp

Filesize
548KB

Download
memory/3812-26-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3812-12-0x0000000000550000-0x00000000005D9000-memory.dmp

Filesize
548KB

Download
memory/3812-0-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3812-9-0x0000000000550000-0x00000000005D9000-memory.dmp

Filesize
548KB

Download
memory/3812-8-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3812-2-0x0000000000550000-0x00000000005D9000-memory.dmp

Filesize
548KB

Download
memory/4932-33-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads